n the last three years, the Malawi government has passed a lot of legislation, among these, is the National Registration and Identification System (NRIS), which according to the National Registration Bureau, is aimed at addressing the lack of universal and compulsory registration – the NRIS allows Malawians to have a national ID.
According to UNDP, one of the main funders of the exercise, 9 million Malawians have registered as of October 2019. This shows that Malawians have generally welcomed the exercise. Meanwhile, the registration in on going all District Offices where anyone turning 16 years can register and have their ID card issued.
Reasons for the general acceptability of the ID registration differ and in absence of any survey it is difficult to generalise the reasons but it can be speculated that among the reasons is that the majority of Malawians lacked any form of ID to do daily transactions. Majority Malawians do not have a passport or driver’s license and yet advance in technology, mobile banking for example, has increased demand for IDs in the country.
Following the NRIS exercise, the national ID has become increasingly become the only form of identification for most public transactions and registrations. In 2018 Malawi government through its telecoms regulator, MACRA, rolled out mandatory SIM Card registration, this is provided for in PART XI of Communications Act, 2016. The voter registration for 2019 tripartite elections required the national ID as a form of identification; and now commercial banks in the country have rolled out what they are calling “know your customer” (KYC) exercise, in which clients have to update their personal information with the banks. This time the banks are only accepting the national ID as a form of identity for Malawians, and passport for none Malawians.
This means that in a very short space of time Malawians have given away a lot of their personal data to both private and public institutions. All the data is tied to one’s national ID. This includes our communication data through our SIM Card enabled communication – internet, text messages and voice calls. But who how safe is this personal data? During the voter registration exercise did we not hear of Malawi Electoral Commission found abandoned in Mozambique? How do we ensure that our personal data is safe? How can we be sure that no third parties have access to our personal data? Who should be held accountable in case of any data breach?
These are legitimate questions, especially as any breach of personal data has implications on personal privacy. Privacy is inviolable right and it is constitutionally provided for under article 21 of Malawi constitution. Often people argue that you should not worry about privacy if you have nothing to hide. Yet, privacy does not mean that you have something to hide.
Journalist, Glenn Greenwald observes that privacy is important because we all need places where we can go to explore the issue without the judgmental eyes of other people being cast upon us. He argues that their people have all kinds of things they want to keep a secret that has nothing to do with criminality. He adds:
“only in a realm where we’re not being watched can we really test the limits of who we want to be. It’s really in the private realm where dissent, creativity and personal exploration lie… When we think we’re being watched, we make behaviour choices that we believe other people want us to make … it’s a natural human desire to avoid societal condemnation. That’s why every state loves surveillance — it breeds a conformist population.”
In the wake of mass personal data collection, Malawi needs personal data protection legislation, and this legislation should have been in place before the NRIS and what has followed that exercise. Data protection is important in order to prevent third parties from accessing personal data and also stopping the authorities abusing personal data they collected in good faith.
Personal data protection is crucial for freedom of choice and freedom of expression. People are unable to express themselves freely in the presence of watchful eye on everything that you are doing, browsing on the Internet for example. Inevitably, this has a chilling effect on activists, human rights defenders and other vulnerable communities as these groups can easily be targeted by both state and non-state actors.
The mass collection of personal data in the absence of data protection law should be of concern to all Malawians as it has the capacity to allow state surveillance. Furthermore, the mandatory SIM card registration in the absence of data protection laws means that our private communication, online and offline can easily be violated by both state and non-state actors. As with the mandatory SIM card registration, governments usually use security to introduce laws and policies. But you cannot protect people on one hand while violating other rights and freedoms on the other. Security and civil liberties can and do coexist and it is the obligation of the state to balance the two.
*Note: this article is informed by Internet freedom and digital rights training for CSOs I coordinated and co-facilitated in Lilongwe (30-31st July 2019) on behalf of The Collaboration on International ICT Policy in East and Southern Africa (CIPESA).